Think The GDPR Only Regulates Big Internet Companies? The EU Says It Regulates You Too.
from the another-threat-to-democratized-speech dept
People tend to think of the GDPR as regulation companies must comply with. But thanks to a decision by the Court of Appeals for the EU earlier this month, there's particular reason to believe that ordinary Internet users will need to worry about complying with it as well.
In this decision the court found that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of its visitors' data. And, as such, the administrator must comply with applicable data processing regulations – which necessarily include the GDPR.
The fan page at issue in this case appears to be run by some sort of enterprise, "Wirtschaftsakademie." But fan pages aren't always run by companies: as the court acknowledges, they are often run by individuals or small groups of individuals. Yet there doesn't appear to be anything in the ruling that would exempt them from its holding. Indeed, the court recognizes that its decision would inherently apply to them:
Fan pages are user accounts that can be set up on Facebook by individuals or businesses. To do so, the author of the fan page, after registering with Facebook, can use the platform designed by Facebook to introduce himself to the users of that social network and to persons visiting the fan page, and to post any kind of communication in the media and opinion market user data a processor of the data for visitors to its page, and thus jointly responsible with Facebook for its handling.
The problem is, compliance with data protection regulations like the GDPR is no simple matter. In fact, as this article suggests, the decision also potentially makes it even more complicated and expensive by expanding the jurisdiction of individual member states' data protection authorities (which was something that EU-wide regulation like the GDPR was actually supposed to minimize).
[Eduardo] Ustaran expressed concern in his 2017 post about the potential for local DPAs’ authority to issue decisions that affect companies located in other areas, in this case, Facebook, whose EU representative is in Ireland. He says that this goes against the letter of GDPR’s one-stop shop goal.
But even without this change to the GDPR's enforcement operation, the burdens of compliance were already a matter of concern. As discussed previously, compliance with the GDPR is difficult and expensive for even well-resourced companies. It's not something that individual Internet users are going to be able to easily manage, and that's a problem, because who would want to set up a Facebook fan page if doing so opened yourself up to such a crippling compliance burden?
Which leads to the essential problem here. Some cheer the GDPR because it puts user privacy front and center as a policy priority. In and of itself, there's nothing wrong with doing so – in fact, it's an idea whose time has come. But it doesn't matter how well-intentioned a law is if instead of merely regulating otherwise lawful activity it ends up suppressing it. And it's especially problematic when that activity is expressive. Even if chilling expression weren't the intent, if that's the effect, then there is something wrong with the regulation.
Furthermore, while it's bad enough if regulation chills the expressive activity of those well-resourced companies better able to navigate complex and costly compliance requirements, it's even worse if it chills the lawful and even desirable expressive activity of ordinary individuals. One of the things an Internet platform like Facebook does, and does well, is encourage the casual expression of ordinary people. If you have things to say, these platforms make it easy to say them to other people without you needing to invest in corporate structure or technical infrastructure before doing so. These are tools that help democratize expression, which ordinarily is something places claiming to value the principles of free expression should want to support. In fact, the more the antipathy against big companies, the more they should want to ensure that independent voices can thrive.
But instead we're seeing how all this regulation targeted at those big companies instead attacks regular people trying to speak online. We've seen the same problem with SESTA/FOSTA too, where individual online speakers suddenly find themselves risking legal liability for how they interact with other speakers online. And now it's happening again in the GDPR context, where the very regulation ostensibly intended to protect people online now threatens to silence them.
Filed Under: data controller, eu, fan pages, gdpr, privacy, social media
Companies: facebook
Reader Comments
What a #&*#$!! mess...
The conclusion I've come to is that due to the massive ambiguity and strict requirements, compliance is pretty much completely impossible. Businesses should just resign themselves to the fact that if they annoy the EU or an individual EU government enough, they might be selected for a GDPR prosecution, which the company will almost surely lose.
It's not a stretch to guess that the EU will favor non-EU companies for enforcement actions, preferably ones with large-enough EU operations that the company can't afford to just give 'em the finger and cease operating in the EU.
[ link to this | view in chronology ]
Maybe a stupid question
This is not a theoretical question. We have a site that markets to very small geographic locations in the US. It would be very difficult, but not impossible, for an EU citizen to sign up, although it would not be possible for the EU citizen to receive any benefits from joining.
[ link to this | view in chronology ]
Re: Maybe a stupid question
You are strongly urged to retain the services of a competent attorney licensed in your jurisdiction in order to obtain professional advice tailored to your circumstances.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Maybe a stupid Firewall
As for your question, it genuinely depends on which software you're using and how thorough you want to be. There are ways to blacklist; software like WordPress provides plugins which make it easy, else you might be better off asking your hosting provider. All the details you need are easy to search for if you are running your own platform.
The biggest problem with doing this is that IP geolocation data is not always accurate, so you might inadvertently ban some non-EU members. Plus, of course, users can always fake their IP or use a VPN and I'm not sure what the implications are if they do that - I presume you'd not be liable if a user is lying to you or you collect data while they're physically in the US, but you never know with this kind of thing.
[ link to this | view in chronology ]
Power causes a form of brain damage.
They like to pretend the internet is subject to their rule & only they have the right to say what is right or wrong.
Maybe if they spent less time trying to police the internet & more time looking at the chaos they are causing their citizens they would be afraid of being replaced.
[ link to this | view in chronology ]
Premise is all sites get personal info -- only true if mercenary
Meaning want MONEY. You can put out your views for free and not gather any info at all, without least trouble.
BUT as one comment nearly got to: when you expect to gain money from the site and collect personal info of "users" in order to gain money, even indirectly from your "friend" Google splattering advertising all over everyone's screen and tracking them over teh internets, then you become a business, and deserve to be regulated.
Money changes everything.
[ link to this | view in chronology ]
Re: Premise is all sites get personal info -- only true if mercenary
You jackass.
[ link to this | view in chronology ]
I really don't know, placing your business in the hands of a 3rd party, helping Zuckerberg's Man in the Middle attack on the internet.
Oh, in the context of GDPR, well, the text says it applies to personal data about EU natural persons. Why would it matter the reason you collect data? It's still there and still needs protecting (from poor storage or from being sold).
[ link to this | view in chronology ]
e-mail / phone contact-lists too
Everyone in the EU needs to get all your friends, colleagues and others in to give their permission to retain their phone number and/or e-mail address.
On the plus-side, it will bring down the percentage of webtraffic that is spam (slightly ;)
[ link to this | view in chronology ]
Re: e-mail / phone contact-lists too
Or not.
Don't you know? All Internet spam is sent by wealthy Nigerian princes.
[ link to this | view in chronology ]